The current radix-based implementation of lookup tables in ipfw does not support non-contiguous prefixes, while this type of lookup is needed to write CPU-efficient firewall configurations.
For some cases the goal can be reached with a masked table lookup by:
- adding masked records (i.e. with the non-significant bits zeroed) into a table
- zeroing the non-significant bits of the lookup key prior to making the table lookup
Most of the code for this feature was merged in D46183, which added bitmask support for numeric (32-bit) lookups but left IP-address lookups out of scope.
This differential adds bitmask support for numeric, IP-address and MAC-address lookups, documents the feature and provides tests for it.
Here's an excerpt from the man page explaining the feature:
lookup {dst-ip | dst-ip4 | dst-ip6 | dst-port | dst-mac | src-ip |
src-ip4 | src-ip6 | src-port | src-mac | uid | jail | dscp |
mark}[:bitmask] name
Search for an entry in lookup table name that matches the field
specified as argument. If not found, the match fails.
Otherwise, the match succeeds and tablearg is set to the value
extracted from the table.
If an optional 32-bit unsigned bitmask is specified, the value of
the field is ANDed bitwise with the bitmask and the resulting value
is searched for instead of the original one. The bitmask is
accepted in the following formats:
1. A dotted-quad form, e.g. 127.88.34.0
2. A number, e.g. 0xf00baa1 or 255
3. As an IPv6 address when specified along with the dst-ip6 or
src-ip6 field. If used, the rule will match IPv6 packets
only. Example: src-ip6:afff:ff00:ffff:ffff:0:0:0:0f0f.
4. As an Ethernet MAC address when specified along with the
dst-mac or src-mac field.
The bitmask cannot be specified for dst-ip or src-ip as these
field specifiers look up both IPv4 and IPv6 addresses.
This option can be useful to quickly dispatch traffic based on
certain packet fields. The bitmask allows wildcard lookups to be
implemented by inserting a masked prefix into the table and
applying the bitmask on each lookup.
See the LOOKUP TABLES section below for more information on
lookup tables.
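The following POSIX sh script is an added example, not part of this review or of the ipfw sources. It emulates the masked lookup the man page text describes (AND the key with a non-contiguous dotted-quad bitmask, then exact-match the masked key against a table of masked prefixes) and prints the ipfw commands that realise the same dispatch; the table name `dispatch`, the rule number and the table values are constructed for the example.

```shell
#!/bin/sh
# Added example: emulate `lookup src-ip4:BITMASK name` and generate the
# matching ipfw configuration. Table name, rule number and values are
# constructed; nothing here is executed against a live ipfw.

# Bitwise AND of two dotted-quad addresses (runs in a subshell so the
# IFS change does not leak), e.g. mask_ip4 192.168.10.5 0.0.255.0 -> 0.0.10.0
mask_ip4() (
    IFS=.
    set -- $1 $2
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
)

# Non-contiguous bitmask: dispatch on the third octet only.
BITMASK=0.0.255.0

# Constructed table contents: masked prefixes (non-significant bits
# zeroed) paired with the value ipfw would hand back as tablearg.
TABLE="0.0.10.0=1000
0.0.20.0=2000"

# Emulate the kernel side: mask the key, then look the masked key up.
# Prints the table value on a hit, or "miss" when no entry matches.
masked_lookup() {
    key=$(mask_ip4 "$1" "$BITMASK")
    for entry in $TABLE; do
        case "$entry" in
            "$key="*) echo "${entry#*=}"; return 0 ;;
        esac
    done
    echo miss
}

# The ipfw commands that set up the same table and rule (constructed).
ipfw_config() {
    echo "ipfw table dispatch create type addr"
    for entry in $TABLE; do
        echo "ipfw table dispatch add ${entry%=*}/32 ${entry#*=}"
    done
    echo "ipfw add 100 skipto tablearg ip from any to any lookup src-ip4:$BITMASK dispatch"
}

ipfw_config
masked_lookup 192.168.10.5   # -> 1000
masked_lookup 10.1.20.200    # -> 2000
masked_lookup 192.168.30.5   # -> miss
```

Only the third octet survives the mask, so any source address in 192.168.10.0/24, 10.1.10.0/24 or 172.16.10.0/24 hits the same table entry, which is exactly the wildcard that a contiguous prefix cannot express.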